As a quality and testing professional, one should look at all aspects of Software Quality. This is part of the risk strategy, although in security world, as industry security expert Adam Shostack puts it, risk is different from a security threat. A threat can happen, and it is important to identify, and try to prevent or avoid the threat from happening. Especially so in these days of software controlling and taking autonomous decisions through Agentic AI and other means. One such instance is the security in autonomous vehicles. In this article, we will look at strategies for security testing for Autonomous vehicles.
Starting With The First Principles
Like everything in security testing, I would recommend starting with the first principles. That is to start with threat modeling. Threat modeling is usually done in a 4-step plan. Once we identify:
- What are we dealing with
- What can go wrong
- What are we going to do about it
- Did we do a good job
With automotive vehicles, some of the threats that could face are:
- Manipulation of firmware
- Exploiting keyless entries
- Vehicle / Driver related data breaches
- Vehicle takeover attacks done remotely
Preventing and Mitigating Threats
One of the foremost things that could be done in preventing and mitigating threats is to assess if the autonomous vehicles are built according to the safety and security specifications for the country in which the vehicle would be operated. There are country specific standards, and since autonomous vehicles are relatively new, these standards are still in development and need a close watch. This is another factor in addition to the threat modeling diagram and the related actions that are taken as part of the threat modeling process. This is followed by vulnerability assessment of the existing known threats and how to fix / patch them in the software. The last, but not the least is to come up with tests that can verify and validate each and every threat identified in the threat modeling diagram, and also come up with attack scenarios that are conducted by the security Red Team.
Conclusion
In this article, we covered the overall, broad-brush strategy of how to approach security testing for autonomous vehicles. Coming up with the threat modeling diagram, taking actions to prevent/mitigate those threats, doing tests along with the red team efforts, as well as doing the vulnerability assessments of existing known vulnerabilities and taking care of them. Hope that provides enough clarity. If your organisation is looking for detailed strategy related to software testing, please feel to get in touch with me. Glad to help!